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DETAILED ACTION 

1 . Claims 1-24 are pending in this application. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-3, 5-11, 13-18 and 20-24 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Porras et al. (Patent No.: US 6,704,874 B1), hereinafter Porras in 
view of Berthaud et al. (Patent No.: US 6,157,957). 

4. As to claim 1 , Porras discloses a network security system (abstract) comprising: 
a first distributed software agent to collect a first stream of alerts from a first network 
security device having a first clock (FIG. 1, column 3, lines 30-65; column 4, lines 10-22 
and column 6, lines 13-17), each alert in the first stream representing an event detected 
by the first network security device and including a time of detection by the first network 
security device according to the first clock (column 6, lines 13-17); a second distributed 
software agent to collect a second stream of alerts from a second network security 
device having a second clock (FIG. 1, items 12-16 referred to different networks, 
column 3, lines 30-65; column 4, lines 10-22 and column 6, lines 13-17), each alert in 
the second stream representing an event detected by the second network security 
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device and including a time of detection by the second network security device 
according to the second clock (column 6, lines 13-17); and a manager module in 
communication with the distributed software agents to receive the first and second 
stream of alerts (FIG. 1, column 3, lines 62-67 and column 4, lines 10-26), identify a 
common event represented by a first alert in the first stream from the first network 
security device and by a second alert in the second stream from the second network 
security device (column 6, lines 19-27 and column 8, lines 37-47). 

Porras doesn't explicitly disclose synchronizing first clofi&and second clock using 
common event. However, Berthaud discloses synchronizing first close and second clock 
using common event (FIG. 2, column 9, lines 35-60). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing first 
close and second clock using common event as taught by Berthaud in order to 
"regularly compute parameters necessary for elaborating a continuous conversion 
function." (Berthaud) 

5. As to claim 9, Porras discloses a method performed by a network security 
system, the method (abstract) comprising: receiving a first stream of alerts from a first 
network security device having a first clock (FIG. 1 , column 3, lines 30-65; column 4, 
lines 10-22 and column 6, lines 13-17), each alert in the first stream representing an 
event detected by the first network security device and including a time of detection by 
the first network security device according to the first clock (column 6, lines 13-17); 
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receiving a second stream of alerts from a second network security device having a 
second clock (FIG. 1, items 12-16 referred to different networks, column 3, lines 30-65; 
column 4, lines 10-22 and column 6, lines 13-17), each alert in the second stream 
representing an event detected by the second network security device and including a 
time of detection by the second network security device according to the second clock 
(column 6, lines 13-17); identifying a common event represented by a first alert in the 
first stream from the first network security device and by a second alert in the second 
stream from the second network security device (FIG. 1, column 3, lines 62-67 and 
column 4, lines 10-26; column 6, lines 19-27 and column 8, lines 37-47). 

Porras doesn't explicitly disclose synchronizing first clod(and second clock using 
common event. However, Berthaud discloses synchronizing first close and second clock 
using common event (FIG. 2, column 9, lines 35-60). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing first 
close and second clock using common event as taught by Berthaud in order to 
"regularly compute parameters necessary for elaborating a continuous conversion 
function." (Berthaud) 

6. As to claim 16, Porras discloses a machine readable medium storing a set of 
instructions that, when executed by the machine (FIG. 1), cause the machine to: receive 
a first stream of alerts from a first network security device having a first clock (FIG. 1 , 
column 3, lines 30-65; column 4, lines 10-22 and column 6, lines 13-17), each alert in 
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the first stream representing an event detected by the first network security device and 
including a time of detection by the first network security device according to the first 
clock (column 6, lines 13-17); receive a second stream of alerts from a second network 
security device having a second clock (FIG. 1, items 12-16 referred to different 
networks, column 3, lines 30-65; column 4, lines 10-22 and column 6, lines 13-17), each 
alert in the second stream representing an event detected by the second network 
security device and including a time of detection by the second network security device 
according to the second clock (column 6, lines 13-17); identify a common event 
represented by a first alert in the first stream from the first network security device and 
by a second alert in the second stream from the second network security device (FIG. 1 , 
column 3, lines 62-67 and column 4, lines 10-26; column 6, lines 19-27 and column 8, 
lines 37-47). 

Porras doesn't explicitly disclose synchronizing first clocfcand second clock using 
common event. However, Berthaud discloses synchronizing first close and second clock 
using common event (FIG. 2, column 9, lines 35-60). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing first 
close and second clock using common event as taught by Berthaud in order to 
"regularly compute parameters necessary for elaborating a continuous conversion 
function." (Berthaud) 
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7. As to claims 2, 10 and 17, Porras discloses the network security system wherein 
the manager module determines a synchronization error using the time of detection of 
the common event in the first alert and the time of detection of the common event in the 
second alert (column 6, lines 18-27 and column 8, lines 37-51). 

Porras doesn't explicitly disclose synchronizing the first clock and the second 
clock and correcting the synchronization error based on common event. However, 
Berthaud discloses synchronizing first clock and second clock and correcting 
synchronization error using common event (FIG. 2, column 9, lines 35-60). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing the 
first clock and the second clock and correcting the synchronization error based on 
common event as taught by Berthaud in order to "regularly compute parameters 
necessary for elaborating a continuous conversion function." (Berthaud) 

8. As to claims 3, 1 1 and 18, Porras doesn't explicitly disclose synchronizing the 
first clock and the second clock by selecting one of the first and second clocks as a 
reference clock, and adjusting the other clock to the reference clock. However, 
Berthaud discloses synchronizing the first clock and the second clock by selecting one 
of the first and second clocks as a reference clock, and adjusting the other clock to the 
reference clock (column 2, lines 42-61). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing the 
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first clock and the second clock by selecting one of the first and second clocks as a 
reference clock, and adjusting the other clock to the reference clock as taught by 
Berthaud in order to provide accurate converted time values with a predetermined 
precision. 

9. As to claims 5, 13 and 20, Porras doesn't explicitly disclose synchronizing the 
first clock and the second clock by adjusting a time offset associated with the first clock. 
However, Berthaud discloses synchronizing the first clock and the second clock by 
adjusting a time offset associated with the first clock (column 3, lines 1-5; column 5, 
lines 15-67 and column 6, lines 1-45). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing the 
first clock and the second clock by adjusting a time offset associated with the first clock 
as taught by Berthaud in order to "regularly compute parameters necessary for 
elaborating a continuous conversion function." (Berthaud) 

10. As to claims 6, 14 and 21 , Porras discloses the network security system wherein 
the manager module identifies a common event by detecting a new Internet Protocol 
(IP) address in the first alert and the second alert (column 6, lines 13-17). 
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11. As to claims 7, 1 5 and 22, Porras discloses the network security system wherein 
the manager module identifies a common event by determining that the second alert is 
corroborative of the first alert (column 6, lines 13-27 and column 8, lines 37-51). 

12. As to claim 8, Porras discloses the network security system wherein the first 
network security device comprises an Intrusion Detection System (IDS) (column 2, lines 
18-38). 

13. As to claim 23, Porras discloses a network security system (abstract) comprising: 
a plurality of distributed software agents to each collect alerts from a plurality of 
corresponding network security devices (FIG. 1, column 3, lines 30-65; column 4, lines 
10-22 and column 6, lines 13-17); and a manager module in communication with the 
distributed software agents to receive the alerts (column 3, lines 62-67 and column 4, 
lines 10-26), identify a common event represented by alerts from a subset of the 
plurality of network security devices (column 6, lines 19-27 and column 8, lines 37-47). 

Porras doesn't explicitly disclose synchronizing the subset of network security 
devices using the common event. However, Berthaud discloses synchronizing the 
subset of network security devices using the common event. 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing the 
subset of network security devices using the common event as taught by Berthaud in 
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order to "regularly compute parameters necessary for elaborating a continuous 
conversion function." (Berthaud) 

14. As to claim 24, Porras doesn't explicitly disclose synchronizing the subset of 
network security devices by adjusting timestamps in each alert received from the subset 
of network security devices. However, Berthaud discloses synchronizing the subset of 
network security devices by adjusting timestamps in each alert received from the subset 
of network security devices (column 3, lines 1-5; column 5, lines 15-67 and column 6, 
lines 1-45). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras by synchronizing the 
subset of network security devices by adjusting timestamps in each alert received from 
the subset of network security devices as taught by Berthaud in order to "regularly 
compute parameters necessary for elaborating a continuous conversion function." 
(Berthaud) 

15. Claims 4, 12 and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Porras in view of Berthaud and further in view of Apel et al. (Patent No.: US 
6,760,687 B2), hereinafter Apel. 

16. As to claims 4, 12 and 19, neither Porras nor Berthaud explicitly discloses 
wherein selecting one of the first and second clocks comprises determining a 
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relationship of the first and second clocks to a system-wide reference clock. However, 
Apel disclose wherein selecting one of the first and second clocks comprises 
determining a relationship of the first and second clocks to a system-wide reference 
clock (column 9, lines 8-15 and lines 60-65). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention was made to modify the teaching of Porras and Berthaud by 
selecting one of the first and second clocks comprises determining a relationship of the 
first and second clocks to a system-wide reference clock as taught by Apel in order to 
"provide a highly accurate and flexible system" (Apel) 

Conclusion 

17. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. See accompanying PTO 892. 

Liou et al. (Pub No.: US 2002/0136335 A1) discloses method for synchronizing 
clock in distributed systems. 

Turaki (Patent No.: US 5402394) discloses method for synchronizing clock based 
on common time base by selecting a reference clock. 

Hein (Patent No.: US 6,148,049) discloses a method for synchronizing clock 
based on evaluating a value and a time of received timemark data. 

Connary et al. (Pub. NO.: US 2004/0044912 A1) discloses determing threat level 
associated with network activity. 
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1 8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Suman Debnath whose telephone number is 571 270 
1256. The examiner can normally be reached on 8 am to 5 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on 571 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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